Google Reportedly Plans Stronger Authentication Options

Google already allows the use of a USB Security Key, such as this Yubikey, to safeguard account access.

In response to nation-state attackers targeting its account users, Google reportedly is planning to offer stronger authentication to politicians, corporate executives and other at-risk individuals as part of a service called the Advanced Protection Program.

Security researchers say Podesta did not appear to be using any two-factor or multi-factor authentication to protect his Gmail account. Google's two-step verification setting, for example, sends a one-time login code to a user via SMS or a voice call, or a user can tap the Google Authenticator app to generate the code.

But these additional log-in factors can be intercepted by attackers.

"SMS is the weakest and not considered secure, especially for high profile users," Chester Wisniewski, principal research scientist at British anti-virus firm Sophos, tells Information Security Media Group. "Time-based tokens like Google Authenticator are good, but can be phished. Google also offers push notifications to Android users, which are reasonably secure, but nothing really beats a physical token."

Sean Sullivan, a security adviser at Finnish anti-virus firm F-Secure, tells ISMG that phishing attackers can send victims to sites that collect their Gmail login usernames and passwords, as well as their SMS codes or one-time tokens. Working quickly, attackers can log in to victims' accounts before the codes or tokens expire.

State-Sponsored Alerts

Google began warning users in 2012 when it suspected their accounts were being targeted by state-sponsored actors. Later, Facebook and Twitter followed suit.

Source: Google

In 2014, Google announced that Gmail and its other services would be compatible with Security Key, which it describes as "a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google."

By enforcing the use of the additional APP security key, an admin could have blocked the Podesta phishing attack from happening. "With the APP key in place, Podesta would not have been able to enter his credentials into the web form on his mobile device, as part of what's needed requires a PC and a supported browser," Sullivan says. "And if he was sitting at his PC, the [phishing] form he interacts with won't have the USB key on its end when trying to log in to Google. If the browser actually communicating with Google doesn't see the physical key - no access. And no access means that you can't set up additional devices."
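The two behaviours described above, a one-time code that a look-alike page can forward to the real site before it expires versus a Security Key response that only verifies for the origin the browser is really on, can be shown side by side. The simulation below is an added example, not code from the article, Google or the FIDO Alliance. The TOTP function follows RFC 6238; the security key is a stand-in that keeps one HMAC secret per registered origin, where real U2F uses a per-site ECDSA key pair and the site stores the public key, and both origin strings are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

GENUINE_ORIGIN = "https://accounts.google.com"        # origin the key was registered with
LOOKALIKE_ORIGIN = "https://accounts-google.example"  # constructed look-alike origin


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def otp_relay_accepted(secret: bytes, now: int) -> bool:
    """A look-alike page collects the six-digit code and forwards it to the real site
    inside the same 30-second step. The real site cannot tell which page it was typed on,
    so the relayed code verifies exactly like one typed on the genuine page."""
    code_typed_into_lookalike = totp(secret, now)
    return hmac.compare_digest(code_typed_into_lookalike, totp(secret, now))


class KeyStandIn:
    """Stand-in for a U2F security key (assumption: HMAC in place of ECDSA). The browser,
    not the web page, tells the key which origin it is talking to, and that origin is
    bound into the response the site checks."""

    def __init__(self):
        self._keys = {}  # origin -> secret registered for that origin

    def register(self, origin: str) -> bytes:
        self._keys[origin] = os.urandom(32)
        return self._keys[origin]  # the site stores this (a public key in real U2F)

    def sign(self, browser_origin: str, challenge: bytes):
        key = self._keys.get(browser_origin)
        if key is None:
            return None  # never registered for this origin: the key produces nothing
        sig = hmac.new(key, browser_origin.encode() + challenge, hashlib.sha256).digest()
        return {"origin": browser_origin, "sig": sig}


def site_verifies(stored_key: bytes, site_origin: str, challenge: bytes, response) -> bool:
    """Reject a missing response, a response naming another origin, or a bad signature."""
    if response is None or response["origin"] != site_origin:
        return False
    expected = hmac.new(stored_key, site_origin.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response["sig"])


def u2f_relay_accepted(key: KeyStandIn, stored_key: bytes, challenge: bytes) -> bool:
    """The look-alike site forwards the genuine challenge, but the user's browser is on the
    look-alike origin, and that is the origin it hands to the key."""
    response = key.sign(LOOKALIKE_ORIGIN, challenge)
    return site_verifies(stored_key, GENUINE_ORIGIN, challenge, response)


def u2f_genuine_accepted(key: KeyStandIn, stored_key: bytes, challenge: bytes) -> bool:
    """Same challenge, but the browser is really on the genuine origin."""
    response = key.sign(GENUINE_ORIGIN, challenge)
    return site_verifies(stored_key, GENUINE_ORIGIN, challenge, response)


def run_scenarios() -> dict:
    """Run the three cases; the TOTP case uses the RFC 6238 test secret at T=59."""
    key = KeyStandIn()
    stored = key.register(GENUINE_ORIGIN)
    challenge = os.urandom(32)
    return {
        "otp_relay_accepted": otp_relay_accepted(b"12345678901234567890", 59),
        "u2f_genuine_accepted": u2f_genuine_accepted(key, stored, challenge),
        "u2f_relay_accepted": u2f_relay_accepted(key, stored, challenge),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {accepted}")
```

The relayed TOTP code is accepted because the code carries no information about where it was typed, which is the weakness Sullivan describes. The key stand-in fails the relay twice over: it has no credential for the look-alike origin, so it never answers, and even a response it did produce would name the wrong origin and be rejected by the site's own check, which is the "verifying the login site is truly a Google website" property Google attributes to Security Key.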

Two Keys: Better Than One?

Google's new Advanced Protection Program will build on the physical USB Security Key, and require a second, physical USB key, Bloomberg reports.

Devices that offer U2F - for universal 2nd factor - comply with an open authentication standard designed to integrate specialized USB and NFC devices. The standard is maintained by the FIDO Alliance, for "Fast IDentity Online," which promulgates interoperable authentication standards.

"The method Google endorses is called U2F and I have used it and think it is pretty darned good," Wisniewski says, noting that he's been a Yubikey user for about 10 years. "I am not a user of Google services, so I haven't used it with them very much, but I have used it with Facebook and other services and have studied the protocol enough to be quite confident in its design and implementation."

Source: FIDO

As searching for "U2F" on Amazon.com highlights, users have dozens of potential devices at multiple price points from which to choose.

The FIDO Alliance lists nine devices from five vendors that offer FIDO U2F:

Bluink: Bluink Key

Century Longmai Technology: mFIDO U2 token

Hypersecu Information Systems: HyperFIDO Mini

Vasco: DIGIPASS SecureClick

Yubico: YubiKey 4, 4C, NEO, 4 Nano, FIDO U2F Security Key

Sullivan notes that the open hardware and software project called USB armory from Inverse Path - now part of F-Secure - is another MFA option.

Usability Versus Protection

Using a physical USB security key - or two - with Google or other services is a no-brainer for at-risk users, security experts say. In fact, many experts, including cybersecurity consultant Brian Honan, Cisco Talos Technical Leader Warren Mercer and Chuck McAllister, endpoint security strategic adviser at CyberArk, tell ISMG that they have long used such devices, in some cases to better secure access to their password manager.

I've been using Yubikey for a long time. They're great. Simple and integrates well with a lot.

Using physical USB keys does, however, involve a usability tradeoff, but security experts argue that it is worth it. "Adoption of a standard like U2F by more users and websites is a good thing," Wisniewski at Sophos says. "Because there is a cost involved, people will always complain a bit. It isn't quite as convenient as just typing in 'monkey123.'"

Such keys work with a variety of sites. Yubico, for example, notes that its keys can be used to better secure logins to multiple operating systems, password managers, and services such as Salesforce.com and Dropbox, among other sites and services.

But not every site offers USB security key compatibility. Sullivan, for example, says that Facebook does not appear to support hardware-based TFA or MFA options for his current browser configuration, which is Firefox on Windows.

Running Firefox on a Windows PC does not appear to be compatible with Facebook's TFA/MFA options. (Source: Sean Sullivan)

While Google and Facebook are among the more high-profile sites offering at least some U2F security key compatibility, Wisniewski says that ideally, every site would offer this capability, across all browsers and platforms. "It needs to be reasonably ubiquitous to have the most impact," he says.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
